I’m performing a CIS-CAT scan and I’m questioning the results of the scanner being poorly designed. Now, I am running on Debian 9, which isn’t officially supported by the scanner, but I can get it to run, and I’ve implemented 95% of their requirements and can successfully scan using the following command:
sudo ./CIS-CAT.sh -f -D ignore.platform.mismatch=true -D include.csv.remediation=true -csv
/bin has permissions of drwxr-x--x and they want me to remove execute for other; however, if I "chmod o-x /bin" then a regular user cannot execute standard commands like "ls". Is there a different approach to this?
Same thing with the following: /dev, /var/cache/man, /run/systemd, /run/dbus, /run/sshd, which have permissions of drwxr-xr-x. CIS-CAT wants me to remove other read and execute, but its permissions get reset on reboot.